"The Transport Layer Security (TLS) Protocol Version 1.2" (RFC 5246) clearly states "The TLS protocol provides communications security over the Internet"

Yet every day millions of people work behind TLS Proxies that provide no such security and give the end-user no indication that the connection is NOT secure end-to-end. Some of these are "legal" TLS Proxies operated by organizations, typically employers, to which the End-User has given consent to monitor their traffic. There are of course MANY other situations in which the typical Internet user has no idea that a TLS Proxy sits in the path.

Many "free" Wi-Fi systems, and most Hotel and Motel systems, utilize TLS Proxies, often operated by their chosen provider.

Many Internet Providers utilize TLS Proxies on their customers' connections.

In every one of these cases the proxy can only present a certificate the browser accepts if the CA that signed it is in the device's trust store; otherwise the user sees a certificate warning, which is the one signal TLS does give.

A TLS Proxy typically decrypts the "supposedly" secure TLS communication, performs inspection and logging of the data, and re-encrypts it toward the real server, all unknown to the end-user. The decrypted data held by TLS Proxies is of course subject to review by any number of Government authorities, often without the end-user being notified.

Many of these TLS Proxies generate certificates on-the-fly, one per site the user visits, and present them to the browser as a "valid" certificate. Because a publicly trusted CA will not normally issue a certificate for a name the proxy operator does not control, the certificate is signed by the proxy's own CA, whose root has been added to the device's trust store by the employer, a device-management profile, or the user during "setup" for the network. Once that root sits beside the hundreds of Certificate Authorities built into the browser, the padlock looks identical to the genuine one.

Regardless of the technology used, the TLS Proxy is by definition a Man-In-The-Middle attack, and TLS does not detect the attack once the proxy's signing CA is trusted by the client: TLS authenticates whoever holds a trusted certificate for the requested name, which is the proxy rather than the intended server. This clearly contradicts "The TLS protocol provides communications security over the Internet". The only client-side checks that still catch the proxy are ones that compare the presented key against an expectation independent of the trust store, such as public-key pinning.

Even the United States Department of Homeland Security (US-CERT Alert TA17-075A) has noted this in "HTTPS Interception Weakens TLS Security"[2].

Violates Many Privacy Laws and degrades Trust#

Certainly it violates the Law of Human Integration.

It also violates most of the Laws from Privacy by Design, including:


Internet users, including many security professionals, often blindly rely on SSL/TLS to provide the confidentiality and integrity of our personal data, at least when using our web browsers. We expect SSL/TLS to do so even in the face of attackers with the ability to hijack and redirect our network connections and DNS traffic (i.e., a Man-In-The-Middle attack).


« This page (revision-6) was last changed on 25-Jun-2017 09:55 by jim